Windows Account Lockout Policy
Account lockout is a useful way to slow down online password-guessing attacks and to compensate for a weak password policy. The three lockout policies work together to limit how many consecutive logon attempts may fail because of a bad password within a given period of time.
To strengthen the account lockout policy, increase Account lockout duration, decrease Account lockout threshold and increase Reset account lockout counter after. Making these policies too strict, though, leads to premature lockouts and more helpdesk calls, and it hands an attacker who knows valid user names an easy way to lock those users out on purpose (a denial of service) simply by sending bad passwords.
Policy Scope
The settings in this section apply to domain accounts when they are set in a GPO linked to the domain in Active Directory, and to local accounts when they are set in local security policy or in a GPO applied to member servers and workstations. See the article "Account Policies Explained" at the upper level. Also see the article "Fine Grained Password and Lockout Policy".
Policies
- Account lockout duration
- Account lockout threshold
- Reset account lockout counter after
Example policies
The following policy is too weak: it only triggers lockouts for very brazen password-guessing attacks, and an attacker who pauses for 5 minutes after every 14 bad guesses is never locked out at all, because the failure counter resets 5 minutes after the last bad attempt.
- Account lockout duration: 5 minutes
- Account lockout threshold: 15 invalid logon attempts
- Reset account lockout counter after: 5 minutes
The following policy limits an attacker to 10 consecutive bad-password attempts in any 24 hour period and then requires an administrator to unlock the account. Note that it is Account lockout duration, not the reset window, that is set to 0: a duration of 0 means the account stays locked until an administrator unlocks it, while the reset window has a minimum of 1 minute and, whenever the duration is non-zero, must be less than or equal to the duration:
- Account lockout duration: 0 minutes (locked until an administrator unlocks the account)
- Account lockout threshold: 10 invalid logon attempts
- Reset account lockout counter after: 1440 minutes
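The guess budget each of these policies gives an online attacker, as an added example that is not part of this page: a PowerShell function (the name Get-GuessBudget is made up for the example) takes the three settings and works out how many bad-password attempts per day an attacker can make against one account, both when staying just under the threshold and when accepting lockouts. The last lines compare the result with the live domain policy read through Get-ADDefaultDomainPasswordPolicy from the ActiveDirectory module; that part needs a domain-joined host with RSAT.

```powershell
# Added example (not from the WinSecWiki page): per-account "guess budget" for an
# online password-guessing attack under a given lockout policy.
# All durations are minutes; LockoutDuration 0 means "locked until an administrator
# unlocks the account", matching the meaning of Account lockout duration = 0.
function Get-GuessBudget {
    param(
        [Parameter(Mandatory)][ValidateRange(0, 999)]  [int]$LockoutThreshold,   # Account lockout threshold (0 = never lock)
        [Parameter(Mandatory)][ValidateRange(1, 99999)][int]$ResetCounterAfter,  # Reset account lockout counter after
        [Parameter(Mandatory)][ValidateRange(0, 99999)][int]$LockoutDuration     # Account lockout duration (0 = admin unlock)
    )

    if ($LockoutThreshold -eq 0) {
        # Threshold 0 disables lockout entirely: nothing slows the attacker down.
        return [pscustomobject]@{
            StealthyPerDay   = [double]::PositiveInfinity
            BrazenPerDay     = [double]::PositiveInfinity
            LockedUntilAdmin = $false
        }
    }

    # Stealthy attacker: sends (threshold - 1) bad passwords, waits for the counter
    # to reset, repeats. The account is never locked, so nobody is alerted.
    $stealthy = ($LockoutThreshold - 1) * (1440 / $ResetCounterAfter)

    # Brazen attacker: accepts the lockout and resumes the moment the account unlocks.
    if ($LockoutDuration -eq 0) {
        $brazen = $LockoutThreshold          # one burst, then stuck until the helpdesk unlocks it
    } else {
        $brazen = $LockoutThreshold * (1440 / $LockoutDuration)
    }

    [pscustomobject]@{
        StealthyPerDay   = [math]::Floor($stealthy)
        BrazenPerDay     = [math]::Floor($brazen)
        LockedUntilAdmin = ($LockoutDuration -eq 0)
    }
}

# The two policies from this page.
# Weak policy: 4032 guesses/day with no lockout ever, 4320/day if lockouts are accepted.
Get-GuessBudget -LockoutThreshold 15 -ResetCounterAfter 5    -LockoutDuration 5
# Strict policy: 9 guesses/day without a lockout, 10 in total before an admin must intervene.
Get-GuessBudget -LockoutThreshold 10 -ResetCounterAfter 1440 -LockoutDuration 0

# Compare with the live domain policy (ActiveDirectory module). On a domain whose
# lockout duration is "until an administrator unlocks", inspect $p.LockoutDuration
# yourself and pass -LockoutDuration 0 explicitly.
$p = Get-ADDefaultDomainPasswordPolicy
Get-GuessBudget -LockoutThreshold $p.LockoutThreshold `
    -ResetCounterAfter ([int]$p.LockoutObservationWindow.TotalMinutes) `
    -LockoutDuration   ([int]$p.LockoutDuration.TotalMinutes)
```

The numbers are per account. A password-spraying attacker who tries one or two common passwords against every account in the domain gets that budget for each account, which is why lockout policy complements, rather than replaces, a decent password policy.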
Troubleshooting
Administrators frequently struggle with repeated, unexplained and seemingly spontaneous lockouts of a given user account. This is often caused by a workstation where the user is still logged on after that account's password has been changed elsewhere. But there are many other possible causes, including stored credentials, programs that cache credentials, scheduled tasks, services, persistent drive mappings, Active Directory replication problems and disconnected Terminal Services sessions.
Microsoft has produced a number of resources to help diagnose this problem.
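A first step in that diagnosis, as an added example that is not part of this page: every lockout is recorded as Security event 4740 ("A user account was locked out") and lockouts are forwarded to the PDC emulator, so the event data on that DC names the account and the computer the bad passwords came from. The PowerShell below assumes the ActiveDirectory module, rights to read the PDC emulator's Security log, and a hypothetical target user name; it pulls the fields from the event XML instead of parsing the rendered message.

```powershell
# Added example (not from the WinSecWiki page): list recent lockouts from the PDC
# emulator's Security log and show which computer sent the bad passwords.
# Assumes the ActiveDirectory RSAT module and remote read access to the Security log.
param(
    [string]$SamAccountName,   # hypothetical: leave empty to list every locked account
    [int]$Hours = 24
)

$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740                            # "A user account was locked out"
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # In event 4740 the locked account is TargetUserName and, confusingly, the
        # "Caller Computer Name" shown in the message is carried in TargetDomainName.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $d['TargetUserName']
            CallerComputer = $d['TargetDomainName']
            DC             = $d['SubjectUserName']   # computer account of the DC that enforced the lockout
        }
    } |
    Where-Object { -not $SamAccountName -or $_.Account -eq $SamAccountName } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

CallerComputer is the machine to look at next: that is where the stale logon session, cached credential, service, scheduled task, mapped drive or disconnected session from the list above will be found. If the caller field is empty, the lockout came from a source that does not report a workstation name (for example some network devices or web front ends) and you will have to work from the DC that enforced it.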
Remember that, for domain accounts, Active Directory enforces just one account lockout policy for all domain user accounts in the entire domain, unless Fine Grained Password and Lockout Policy is in use. This policy is defined in the Default Domain Policy GPO linked to the root of the domain. See the upper level for more information.